Samsung Knox, SEAMS, and SAFE
Endpoint Management supports and extends both Samsung for Enterprise (SAFE) and Samsung Knox policies on compatible Samsung devices. Samsung Knox includes the SE for Android Management Service (SEAMS). SEAMS provides API-level control of the Samsung security policy engine.
To control how and when Android devices connect to the Endpoint Management service, use Firebase Cloud Messaging (FCM). For information, see Firebase Cloud Messaging.
Endpoint Management enrolls Android devices into MDM+MAM or MDM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication types for Android devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.
- Domain plus security token
- Client certificate
- Client certificate plus domain
- Identity providers:
- Azure Active Directory
- Citrix Identity provider
Another rarely used authentication method is client certificate plus security token. For information, see https://support.citrix.com/article/CTX215200.
A general workflow for starting Android device management is as follows:
Choose and configure an enrollment method. See Supported enrollment methods.
Set up device and app security actions. See Security actions.
For supported operating systems, see Supported device operating systems.
Supported enrollment methods
The following table lists the enrollment methods that Endpoint Management supports for Android devices:
|Bulk enrollment||Yes (Knox)|
You can use Samsung Knox Mobile Enrollment to enroll multiple Samsung Knox devices into Endpoint Management (or any mobile device manager) without manually configuring each device. For information, see Samsung Knox Bulk Enrollment.
For information about enrolling devices, see Enroll Android devices.
Deploy Samsung license keys
Samsung has Enterprise License Management (ELM) keys and Knox License Management (KLM) keys. You purchase Samsung licenses from Samsung.
Knox: The Knox platform requires that you purchase a Samsung Knox Workspace license. To enable the Knox APIs and deploy Knox policies and restrictions to devices, first configure the Endpoint Management device policy, Samsung MDM license key. To activate Knox, you must push at least one Restriction device policy specifically for Knox along with the ELM and KLMS key.
For HTC-specific policies, Endpoint Management supports HTC API version 0.5.0. For Sony-specific policies, Endpoint Management supports Sony Enterprise SDK 2.0.
SAFE: Deploy the built-in Samsung ELM key to a device before deploying SAFE policies and restrictions. To deploy that key, configure the Endpoint Management device policy, Samsung MDM license key.
Samsung Enterprise Firmware-Over-The-Air (E-FOTA) service
Endpoint Management also supports the Samsung Enterprise Firmware-Over-The-Air (E-FOTA) service. Samsung E-FOTA lets you determine when devices get updated, determine the firmware version to use, and test updates before deploying them. For information, see Configure Samsung E-FOTA settings.
Enable Samsung Knox attestation
You can configure Endpoint Management to query the Samsung Knox attestation server REST APIs.
Samsung Knox applies hardware security capabilities that provide multiple levels of protection for the operating system and applications. One level of this security resides at the platform through attestation. An attestation server provides verification of the mobile device core system software (for example, the boot loaders and kernel). The verification occurs at runtime based on data collected during trusted boot.
In the Endpoint Management web console, click the gear icon in the upper-right corner. The Settings page appears.
Click Samsung Knox.
Set Enable Samsung Knox attestation to Yes to enable Samsung Knox attestation. The default is No.
In the Web service URL list, do one of the following:
Click the appropriate attestation server.
Click Add new and then enter the Web service URL.
Click Test Connection to verify the connection. A success or failure message appears.
Configure Samsung device policies
Device policies for Samsung Knox:
|App Restrictions||App Uninstall||Browser|
|Copy Apps to Samsung Container||Exchange||Knox Platform for Enterprise key|
|Passcode||Restrictions||Samsung MDM License key|
Device policies for Samsung SAFE:
|App Uninstall Restrictions||Browser||Exchange|
|Firewall||Kiosk||Knox Platform for Enterprise|
|OS update||Restrictions||Samsung MDM License key|
Device policies for Samsung SEAMS:
|Copy Apps to Samsung Container|
Android supports the following security actions. For a description of each security action, see Security actions.
|App Lock||App Wipe||Certificate Renewal|
|Lock and Reset Password||Notify||Revoke|
For devices running Android 6.0 and greater, the Locate security action requires the user to grant Location permission during enrollment. The user can opt not to grant Location permission. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permission when sending the Locate command.